[rfc][icedtea-web] (PR1264) Run in Sandbox button

Omair Majid omajid at redhat.com
Wed Feb 26 09:54:45 PST 2014 

* Andrew Azores <aazores at redhat.com> [2014-02-26 12:13]:
> "implementation" can be applied on its own, but it doesn't actually
> do anything. It essentially just sets up the classloader to be able
> to run applets sandboxed. "dialog" adds the ability to make the
> classloader do this by adding a button for it.

I will review them separately.

> diff --git a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
> --- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
> +++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java

The JNLPClassLoader class is hairy enough and this is making it more
complex. Would it be possible to extract all the
security-decision-making code into a new class that JNLPClassLoader can
delegate to, instead?

I mean it is probably okay to have conditionals based on
getRunInSandbox() this time, but one more conditional like this and the
code will be next to impossible to maintain.

> @@ -386,8 +391,12 @@
>  
>          // If security level is 'high' or greater, we must check if the user allows unsigned applets 
>          // when the JNLPClassLoader is created. We do so here, because doing so in the constructor 
> -        // causes unwanted side-effects for some applets
> -        if (!loader.getSigning() && file instanceof PluginBridge) {
> +        // causes unwanted side-effects for some applets. However, if the loader has been tagged
> +        // with "runInSandbox", then we do not show this dialog - since this tag indicates that
> +        // the user was already shown a CertWarning dialog and has chosen to run the applet sandboxed.
> +        // This means they've already agreed to running the applet and have specified with which
> +        // permission level to do it!
> +        if (!loader.getSigning() && !loader.getRunInSandbox() && file instanceof PluginBridge) {
>              UnsignedAppletTrustConfirmation.checkUnsignedWithUserIfRequired((PluginBridge)file);
>          }

I would create a method named `isUserAlreadyPrompted()` and use that
instead of `loader.getRunInSandbox()`

All in all, I am quite happy how this patch is not very invasive, given
that it touches one of the more sensitive classes in the codebase.

Thanks,
Omair

-- 
PGP Key: 66484681 (http://pgp.mit.edu/)
Fingerprint = F072 555B 0A17 3957 4E95  0056 F286 F14F 6648 4681

More information about the distro-pkg-dev mailing list